Currently we see about 12,000+ websites infected with this code. These sites are usually infected with a variety of .htaccess file infections as well, so just removing this code will not clean your website.

This will add (append) whatever is in the Thumbs.db file to files when the page is rendered. This will show the infectious code in Thumbs.db after running the PHP code in Thumbs.db, when you view source on an infected web page, but when you look in the raw code of the index file, the code won’t be there.

This line is usually preceeded by many, many blank lines in an attempt to hide it. Inside the Thumbs.db file is code like:

Which is the infectious code delivered to any web page rendered from the folder with the above .htaccess file.

There doesn’t appear to be any common characteristic of the websites infected with this, other than the infected websites we’ve cleaned have all been WordPress. They were already at the current version, some have the vulnerable timthumb.php files, some don’t. Some are using FCKeditor in one way or another and we have seen this as a successful attack vector for quite awhile.

If you have this type of infection, please post a comment with any other information you may have regarding this. Mostly, what plugins you have on your site. Maybe then as a community we can zero in on the root cause.

If you found this post useful or informative, please Tweet about us, like us on Facebook, or just post a comment.

As always, if you need help cleaning this from your website, please send me an email: traef@wewatchyourwebsite.com.